Protect your data with site isolation

Chrome version 63 and later

Applies to managed Chrome browsers and ChromeOS devices.

As a Chrome administrator, you can protect Chrome browser users who visit untrusted sites by using site isolation.

Site isolation separates pages from different websites into different processes. When site isolation is turned on, it is harder for a malicious site to bypass the security measures that exist to prevent data theft: a renderer process can be blocked from receiving certain types of sensitive data that belong to other sites, so a malicious website finds it much more difficult to steal data from other sites, even if it manages to break some rules inside its own process.

Site isolation applies to sites such as https://example.com and usually groups together other origins within that site such as https://a.example.com.

Site isolation is enabled by default on Desktop platforms as of Chrome 76, and for most sites that users log into on Android as of Chrome 77. Learn more about Site isolation.

You can block users from disabling site isolation, and you can isolate more specific origins within sites of your choice. On Android, you can also enable site isolation for all sites.

Step 1: Review policies

Policy Description and settings
SitePerProcess

Windows, Mac, and Linux

When enabled—Site isolation is enabled for all websites for your entire organization. All sites that users visit will run in a dedicated rendering process, isolated from each other. Users cannot opt out of site isolation using, for example, chrome://flags.

When disabled or unset—Site isolation remains enabled but users can opt out using, for example, chrome://flags.

IsolateOrigins

Windows, Mac, and Linux

When enabled—Isolates additional specific origins that users visit. Origins you specify run in a dedicated rendering process. You can include origins that users sign in to and other origins that contain sensitive information, such as productivity sites or intranet sites.

When disabled or unset—Site isolation remains enabled but no additional origins will be isolated. Users can list additional origins to isolate using, for example, chrome://flags.

SitePerProcessAndroid

Android

When enabled—Applies to Android devices with at least 1 GB RAM. Turns on site isolation for all websites for your entire organization. All sites that users visit will run in a dedicated rendering process, isolated from each other. Users cannot opt out of site isolation using, for example, chrome://flags.

When unset—Applies to M77 or later and Android devices with at least 2 GB RAM. Site isolation is enabled only for sites that users sign into.

When disabled—Site isolation is turned off entirely. This policy overrides the settings for both sites that users sign into and the IsolateOriginsAndroid policy.

IsolateOriginsAndroid

Android

When enabled—Applies to Android devices with at least 1 GB RAM. Isolates additional specific origins that users visit. Origins you specify run in a dedicated rendering process. You can include origins that users sign in to and other origins that contain sensitive information, such as productivity sites or intranet sites.

When unset—Applies to M77 or later and Android devices with at least 2 GB RAM. Site isolation is enabled only for sites that users sign into.

When disabled—Site isolation is turned off entirely. This policy overrides the SitePerProcessAndroid policy.

Step 2: Create a list of sites to isolate

On Chrome 76 and earlier, you create a list of all of the origins that you want to isolate by specifying each origin in full, separated by commas. For example:
https://a.example.com,https://b.example.com,https://c.example.com

From Chrome 77 and later, you can also specify a range of origins to isolate using a wildcard.

For example, specifying https://[*.]example.com isolates https://a.example.com, https://b.example.com, and https://c.example.com. In addition, it isolates any matching origin under https://[*.]example.com, such as:

  • https://a1.example.com
  • https://a2.a1.example.com
  • https://a3.a2.a1.example.com

You can use the wildcard notation to isolate a whole range of origins in a convenient way. For example, specifying https://[*.]corp.solarmora.com ensures that all Solarmora corporate origins are isolated.

Step 3: Turn on site isolation

Click below for steps, based on how you want to manage these policies.

Admin console

Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, Linux or Android. For details, see Understand when settings apply.

Important: Make sure Managed Chrome browser is turned on for the organization.

  1. In the Admin console, go to Menu, then Devices, then Chrome, then Settings. The User & browser settings page opens by default.

    If you signed up for Chrome Enterprise Core, go to Menu, then Chrome browser, then Settings.

  2. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  3. Go to the Site isolation section.
  4. For Windows, Mac, and Linux, click Site isolation:
    1. To require site isolation for all websites:
      1. Select Require site isolation for all websites, as well as any origins below.
      2. (Optional) Enter additional origins, separated by commas, that you want to isolate from their respective websites. For example, enter https://login.example.com to keep it isolated from the rest of https://example.com.
      3. Click Save. Or, you might click Override for an organizational unit.

        To later restore the inherited value, click Inherit.

    2. To enable isolation for all websites but also allow users to opt out of site isolation for specific websites (default):
      1. Select Enable site isolation for all websites and any origins below, but allow users to opt out.
      2. (Optional) Enter a list of websites and origins, separated by commas, that you want to isolate.
      3. Click Save. Or, you might click Override for an organizational unit.

        To later restore the inherited value, click Inherit.

    For Android, click Site isolation (Chrome on Android):
    1. To turn on site isolation for login websites only (default):
      1. Select Turn on site isolation only for login sites, as well as any origins below.
      2. (Optional) Enter a list of websites and origins, separated by commas, that you want to isolate.
      3. Click Save.
    2. To allow users to choose if they want to enable site isolation:
      1. Select Allow user to choose to enable site isolation.
      2. (Optional) Enter a list of websites and origins, separated by commas, that you want to isolate.
      3. Click Save. Or, you might click Override for an organizational unit.

        To later restore the inherited value, click Inherit.

    3. To turn on site isolation for all websites:
      1. Select Turn on site isolation for all websites, as well as any origins below.
      2. (Optional) Enter a list of websites and origins, separated by commas, that you want to isolate.
      3. Click Save. Or, you might click Override for an organizational unit.

        To later restore the inherited value, click Inherit.

Windows
Applies to Windows users who sign in to a managed account on Chrome browser.

Using Group Policy

In Group Policy Editor, go to Computer or User Configuration and then Policies and then Administrative Templates and then Google and then Google Chrome for both policies below.

Require site isolation for all websites

Note: Site Isolation is always enabled on Windows, and the SitePerProcess policy is only used to prevent the user from opting out.

Leaving this policy Not Configured uses the Unset behavior described above.

  1. Locate and enable Enable Site Isolation for every website.
    Tip: If you don’t see this policy, download the latest policy template.

  2. Deploy the update to your users.

Turn on site isolation for specific origins

Leaving this policy Not Configured uses the Unset behavior described above.

  1. Test site isolation for these sites locally using the command line flag:
    --isolate-origins="https://[*.]example.com,https://subdomain.example.org"
  2. Locate and enable Enable Site Isolation for specified origins.

    Tip: If you don’t see this policy, download the latest policy template.

  3. Enter URLs for isolation in a comma-separated list.
    Example: https://[*.]example.com/,https://subdomain.example.org

  4. Deploy the update to your users.
Mac
Applies to Mac users who sign in to a managed account on Chrome browser.

In your Chrome configuration profile, add or update the following keys. Then, deploy the change to your users.

<dict>
  <key>SitePerProcess</key>
  <true/>
  <key>IsolateOrigins</key>
  <string>https://www.site1.com,https://www.site2.net</string>
</dict>

Linux
Applies to Linux users who sign in to a managed account on Chrome browser.

Using your preferred JSON file editor:

  1. Go to your /etc/opt/chrome/policies/managed folder.
  2. Create or update a JSON file and enter URLs as needed:
    • SitePerProcess—Set to true to require the policy.
    • IsolateOrigins—Add the URLs that you want to isolate.
  3. Test site isolation for these sites locally using the command line flag:
    --isolate-origins="https://[*.]example.com,https://subdomain.example.org"
  4. Deploy the update to your users.

This example shows how to require the SitePerProcess policy. The value is a JSON boolean, not the string "true":

{
  "SitePerProcess": true
}


This example shows how to isolate a.example.com and b.example.net. The value is a single comma-separated string:
{
  "IsolateOrigins": "https://a.example.com/,https://b.example.net/"
}
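The Mac and Linux examples above are easy to get wrong by hand: typographic quotes inside the file, a boolean written as the string "true", or a list where Chrome expects one comma-separated string. The following added example (not code from this page or from Google) builds the two policies with the value types the page describes and renders them as the Linux JSON file and the macOS plist fragment, with a small linter that catches those three mistakes before the file is deployed. The output file name site_isolation.json and the build_policy/lint_linux_json function names are this example's own choices; the policy names, types and the Linux policy directory are the ones given on this page.

```python
"""Render SitePerProcess and IsolateOrigins as a Linux managed-policy JSON file
and a macOS plist, and lint a hand-written JSON file for common mistakes.
Added example; assumes only the policy names and value types the page states."""
import json
import plistlib
from pathlib import Path

LINUX_POLICY_DIR = Path("/etc/opt/chrome/policies/managed")  # from the page
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"  # curly quotes: “ ” ‘ ’


def build_policy(require_site_isolation: bool, origins: list[str]) -> dict:
    """Build the policy dict with the types Chrome expects for each policy."""
    for origin in origins:
        if not origin.startswith(("https://", "http://")):
            raise ValueError(f"IsolateOrigins entries must be full origins: {origin!r}")
    policy = {"SitePerProcess": bool(require_site_isolation)}  # boolean, not "true"
    if origins:
        policy["IsolateOrigins"] = ",".join(origins)  # one string, comma-separated
    return policy


def render_linux_json(policy: dict) -> str:
    """JSON for /etc/opt/chrome/policies/managed/<name>.json."""
    return json.dumps(policy, indent=2) + "\n"


def render_mac_plist(policy: dict) -> bytes:
    """XML plist fragment with <true/> and <string> elements for the two keys."""
    return plistlib.dumps(policy, fmt=plistlib.FMT_XML)


def load_mac_plist(data: bytes) -> dict:
    return plistlib.loads(data)


def lint_linux_json(text: str) -> list[str]:
    """Return the problems found in a hand-written policy file (empty list if none)."""
    problems = []
    if any(ch in text for ch in TYPOGRAPHIC_QUOTES):
        problems.append("typographic quotes found; JSON requires plain double quotes")
    try:
        data = json.loads(text)
    except ValueError as exc:
        problems.append(f"not valid JSON: {exc}")
        return problems
    if "SitePerProcess" in data and not isinstance(data["SitePerProcess"], bool):
        problems.append("SitePerProcess must be a JSON boolean, not a string")
    if "IsolateOrigins" in data and not isinstance(data["IsolateOrigins"], str):
        problems.append("IsolateOrigins must be one comma-separated string, not a list")
    return problems


def write_linux_policy(policy: dict, directory: Path = LINUX_POLICY_DIR,
                       name: str = "site_isolation.json") -> Path:
    """Write the JSON file into the managed policy directory (needs root on a real host)."""
    directory.mkdir(parents=True, exist_ok=True)
    path = directory / name
    path.write_text(render_linux_json(policy))
    return path


if __name__ == "__main__":
    policy = build_policy(True, ["https://a.example.com/", "https://b.example.net/"])
    print(render_linux_json(policy))
    print(render_mac_plist(policy).decode())
    # Constructed example of the mistake the page's original JSON showed.
    print(lint_linux_json('{"SitePerProcess": "true"}'))
```

A value of the wrong type is not applied as you intended, so run lint_linux_json over any file you edited by hand and then confirm on chrome://policy that the status for each policy is OK, as in Step 4.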

Step 4: Verify policies have been applied

After you apply any Chrome policies, users need to restart Chrome browser for the setting to take effect. You can check users’ devices to make sure the policy was applied correctly.

  1. On the user's managed device or browser, browse to chrome://policy.
  2. Click Reload policies.
  3. Check the Show policies with no value set box.
  4. For the policies you set, make sure Status is set to OK.
  5. For each policy, click Show value and make sure that the value fields are the same as what you set in the policy.

Turn off site isolation (Android only)

To turn off site isolation, disable the Android policies you set above.

After you disable the isolation policy, Chrome uses its pre-site-isolation process model to render websites: different sites might share a process with each other, and cross-site frames might be rendered in the same process as their parent page. Disabling either policy also turns off the site isolation field trials for both.
